Are you on Facebook? Do you use Twitter? Have you ever heard of LinkedIn? Whether you are a savvy social media user or just contemplating your first post, this whitepaper from NetworkWorld will help you recognize the risks of using social media, while also helping you identify ways to protect your personal data and/or company information.

If you thought your laptop was the only mobile device that could be infected by malware, think again.

Did you know that your Android Smartphone can also become infected? According to a recent SecurityWeek article, incidents of Android malware are on the rise. Droid lovers will have to unite and diligently monitor the latest malware trends if we are to keep our smartphones safe.

Have you ever dabbled in Firefox, Chrome or Opera web browsers? These are all popular alternatives to Internet Explorer (IE).

Firefox (FF) burst onto the scene a few years ago as a vibrant successor to the aging Netscape communicator. What made Firefox unique is that, unlike the largely monolithic structure of IE, Firefox is built in layers like an onion. There is a small kernel of basic browser functionality and then some default outer layers that give it the familiar FF look and feel. But because of this onion-like structure, and because it is open-source software, users that had the technical skills could modify just about anything else about it! By far the most popular way to modify it was to add visual themes to change the shape and location of buttons and the overall color scheme. The next most popular modification was so-called add-ons. Add-ons change the fundamental way the browser works and, for our purposes, how security and privacy aspects function.

On behalf of their end users, security-oriented developers knew that browsers are one of the primary conduits for malware to get onto and take over systems and their contents. But with FF’s architecture they realized they could enhance browser security by leveraging the fact that add-ons “have dibs on seeing” incoming web site content as it comes into the browser kernel! Thus, add-ons could give the user back control over their privacy and security. As always – these add-ons do cost a little more in terms of user attention to their configuration and alerts. But such is the price of increased control. By and large the suggested add-ons below do an exemplary job of letting users tune them so security and privacy are improved without being onerous.

So, here are some of my favorite FF add-ons that will raise your awareness of all things security and privacy on the web:

LastPass – truly superior, genuinely secure, browser password vault

If you allow your browser to save your web site account names and passwords then you should switch from the built-in function to using LastPass. LastPass uses genuinely strong encryption methods to encrypt your personal information. Furthermore, all the encryption is based on your master pass phrase, which only you know, and all of your information is encrypted before leaving your local system – not on the LastPass web server! This means that even LastPass employees have no access to your information (nor would anyone that successfully hacked them). However, because your personal info is stored “in the cloud” all of your personal information is available across different browsers (FF, Chrome, IE) and across different systems (work, home, mobile).
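The property the paragraph above leans on, that the vault is encrypted on your own machine from a key derived from the master passphrase and the server only ever sees opaque data, is easy to see in code. The following is an added illustration written for this post, not LastPass’s implementation: the key-derivation parameters, the toy server, and the HMAC-SHA256 counter-mode cipher (a standard-library stand-in for AES-GCM so the script runs anywhere) are all assumptions of the example.

```python
import hashlib
import hmac
import secrets

# Added example; not LastPass code, only a sketch of the "encrypt before it leaves your
# system" property the post describes. The vault key and the server-side login token
# are both derived from the master passphrase, but the token is a further one-way
# derivation of the key, so the server can check a login without ever holding anything
# that decrypts the vault. The cipher is HMAC-SHA256 in counter mode with an
# encrypt-then-MAC tag: a stdlib-only stand-in for AES-GCM so the example runs anywhere.

PBKDF2_ROUNDS = 100_000  # assumed work factor for the example


def derive_keys(master_passphrase: str, username: str):
    """Return (vault_key, login_token). Only login_token ever leaves the device."""
    vault_key = hashlib.pbkdf2_hmac("sha256", master_passphrase.encode(),
                                    username.lower().encode(), PBKDF2_ROUNDS)
    login_token = hashlib.pbkdf2_hmac("sha256", vault_key, master_passphrase.encode(), 1)
    return vault_key, login_token


def _subkeys(vault_key: bytes):
    return (hmac.new(vault_key, b"enc", hashlib.sha256).digest(),
            hmac.new(vault_key, b"mac", hashlib.sha256).digest())


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    """Client side: returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def decrypt_vault(vault_key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(vault_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    # Check the tag before touching the ciphertext (encrypt-then-MAC).
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or vault modified in transit/storage")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class ToyVaultServer:
    """The cloud side only ever holds a salted hash of the login token and opaque blobs."""

    def __init__(self) -> None:
        self._accounts, self._blobs = {}, {}

    def register(self, user: str, login_token: bytes) -> None:
        salt = secrets.token_bytes(16)
        self._accounts[user] = (salt, hashlib.pbkdf2_hmac("sha256", login_token, salt, PBKDF2_ROUNDS))

    def login(self, user: str, login_token: bytes) -> bool:
        salt, stored = self._accounts[user]
        return hmac.compare_digest(stored, hashlib.pbkdf2_hmac("sha256", login_token, salt, PBKDF2_ROUNDS))

    def store(self, user: str, blob: bytes) -> None:
        self._blobs[user] = blob

    def fetch(self, user: str) -> bytes:
        return self._blobs[user]


def sync_round_trip(user: str, passphrase: str, secret: bytes):
    """Save from one device, log in and read back from another; returns (login_ok, plaintext)."""
    server = ToyVaultServer()
    vault_key, token = derive_keys(passphrase, user)
    server.register(user, token)
    server.store(user, encrypt_vault(vault_key, secret))
    key_again, token_again = derive_keys(passphrase, user)  # second device, same passphrase
    return server.login(user, token_again), decrypt_vault(key_again, server.fetch(user))


def wrong_passphrase_rejected(user: str, passphrase: str, secret: bytes) -> bool:
    """What an insider or intruder holding the blob but not the passphrase gets: nothing."""
    blob = encrypt_vault(derive_keys(passphrase, user)[0], secret)
    try:
        decrypt_vault(derive_keys(passphrase + "x", user)[0], blob)
    except ValueError:
        return True
    return False
```

The point to notice is what `ToyVaultServer` stores: a salted hash of `login_token` and the blob. Neither the passphrase nor `vault_key` is ever sent, so a compromise of the server (or a curious employee) yields only ciphertext, which is exactly the claim made about LastPass above.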

Adblock Plus – eliminates ads in your browser, period, end-of-story

Without disrupting the appearance of web pages, Adblock Plus simply eliminates 99% of ads from your browsing experience. It is highly controllable via a little pull-down menu, so if you go to, say, a not-for-profit web site that you know is ad-supported, you can tell it not to block ads on that site. This is security-related insofar as ads are a conduit for spyware entering your browser. In addition to turning on your browser’s pop-up blocker, this will go a long way towards improving security and lessening annoying unsolicited ads. As a side effect, it will also speed up web page loading times.

Collusion shows you what companies are collecting information from your browser about where you go on the Net. The graph is color coded to distinguish between the web site you went to for content (e.g., www.nytimes.com) versus partner sites which collect information about where you have been on the web (e.g. doubleclick.com). It literally connects the dots so you can understand how the NYTimes is connected to CNN through both having cut deals with some third party tracker like Google’s DoubleClick subsidiary. It’s purely informational, but when combined with No-Script below, it gives you control over who can learn what about your browsing.

Certificate Patrol – detects changes to secure browsing certificates (websites you access via HTTPS)

For those not familiar with HTTPS certificates, they are the heart and soul of how your browser decides it is safe for you to trust that the web site you are buying a new golf club from really is Callaway’s web site. Certificate Patrol is mostly passive/informational. It tells you about the certificates your browser has seen and what has changed about them since the last time your browser was at that site. So, while it is merely nerdy to discover that Google uses several certificate authorities for different Google products (Google+, Gmail, Google Apps, etc.), it is concretely security enhancing that it will tell you if a site’s certificate has been revoked (by the signing certificate authority), has expired or has been replaced by a forged one before you input your credit card information!
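What the add-on does with a certificate is essentially bookkeeping plus a few comparisons, so here is that logic as a small script. This is an added example, not Certificate Patrol’s code: the record format, the 30-day “early replacement” threshold, and the constructed certificate records for `shop.example.test` are assumptions made here. `fetch_record` shows how the same record would be taken from a live connection; the demo itself runs offline.

```python
import hashlib
import socket
import ssl
from typing import Optional

# Added example, not Certificate Patrol's code. For each host we remember three things
# about the leaf certificate: its SHA-256 fingerprint, the issuing CA and the expiry time.
# Revocation (OCSP/CRL) is left to the browser; this only spots *changes* and expiry.

DAY = 86400


def fetch_record(host: str, port: int = 443) -> dict:
    """Live lookup of a site's leaf certificate (network call; not used by the offline demo)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            info = tls.getpeercert()
    issuer = {k: v for rdn in info["issuer"] for k, v in rdn}
    return {
        "fingerprint": hashlib.sha256(der).hexdigest(),
        "issuer": issuer.get("organizationName", "unknown"),
        "not_after": ssl.cert_time_to_seconds(info["notAfter"]),
    }


def compare(previous: Optional[dict], current: dict, now: float) -> list:
    """Return human-readable alerts for one observation of a host's certificate."""
    alerts = []
    if current["not_after"] <= now:
        alerts.append("EXPIRED: the certificate presented is past its validity period")
    if previous is None:
        alerts.append("NEW: first visit, fingerprint recorded for future comparison")
        return alerts
    if previous["fingerprint"] == current["fingerprint"]:
        return alerts  # same certificate as last time: nothing to say
    if previous["issuer"] != current["issuer"]:
        alerts.append(f"ISSUER CHANGED: {previous['issuer']} -> {current['issuer']}, investigate")
    days_left = (previous["not_after"] - now) / DAY
    if days_left > 30:  # assumed threshold: renewals normally happen close to expiry
        alerts.append(f"EARLY REPLACEMENT: old certificate still had {days_left:.0f} days left, investigate")
    else:
        alerts.append("ROTATED: certificate renewed close to expiry, usually routine")
    return alerts


class CertStore:
    """In-memory equivalent of the add-on's certificate history."""

    def __init__(self) -> None:
        self.seen = {}

    def observe(self, host: str, record: dict, now: float) -> list:
        alerts = compare(self.seen.get(host), record, now)
        self.seen[host] = record
        return alerts


# Constructed records standing in for three visits to the same shop (epoch seconds).
NOW = 1_300_000_000  # March 2011
FIRST_VISIT = {"fingerprint": "aa" * 32, "issuer": "Example Trust CA", "not_after": NOW + 400 * DAY}
SAME_CERT = dict(FIRST_VISIT)
SUSPICIOUS = {"fingerprint": "bb" * 32, "issuer": "Other Issuer Inc", "not_after": NOW + 700 * DAY}


def demo() -> list:
    """Alerts from the three constructed visits, in order."""
    store = CertStore()
    return [
        store.observe("shop.example.test", FIRST_VISIT, NOW),
        store.observe("shop.example.test", SAME_CERT, NOW + 1 * DAY),
        store.observe("shop.example.test", SUSPICIOUS, NOW + 2 * DAY),
    ]


if __name__ == "__main__":
    for visit in demo():
        print(visit or ["unchanged"])
```

The third visit is the interesting one: a different fingerprint, a different issuer and an old certificate with more than a year of validity left. Any one of those can be innocent, but all three together before a checkout page is exactly the moment the add-on wants you to stop and look.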

Of these add-ons, NoScript is the most in-your-face. However, in exchange for a little bit of extra interaction with web pages you gain a ton of awareness and/or control over what third party web sites your browser is “secretly” interacting with on virtually every web page you visit! That’s right – virtually all commercial web sites have links or bits of JavaScript embedded in them which, if allowed to execute, send information about you, and the page you just landed on, off to third parties. NoScript takes the attitude that the user should remain in control of what their browser communicates; therefore, by default, it stops script execution. As with the other extensions mentioned, it provides a drop-down menu that lets you control which sites’ scripts to allow. This is a little annoying at first since it interrupts the seamless loading of a lot of web sites. However, it has options that allow you to tune its default behavior to be significantly less intrusive. In any case, the information about all the different linkages to third party tracking sites, etc. is a real eye-opener! If you install it with the aforementioned Collusion extension you will start to see patterns of firms that track you as you browse the Net! Another nifty feature: if you have no idea which of these “third parties” (the ones in the NoScript drop-down menu) to trust, you can shift-click on their names to research, from a variety of trusted sources, what each one has a reputation for doing with tracked information, such as shopping your email address around or selling information about which ads you click on.
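To make the two previous paragraphs concrete, here is what the NoScript menu and the Collusion graph are each built from: the set of hosts a page pulls scripts, images and frames from, and the overlap of those hosts across the sites you visit. This is an added example, not code from either extension; the two sample pages, their `.test` hostnames and the “last two labels” approximation of a site’s domain are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Added example (not NoScript's or Collusion's code): enumerate the hosts a page would
# contact when rendered and separate the site you navigated to from everyone else.

RESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src", "embed": "src", "link": "href"}


def registrable_domain(host: str) -> str:
    """Crude 'same site' test: last two labels. Real tools consult the Public Suffix List."""
    return ".".join(host.lower().split(".")[-2:])


class ResourceCollector(HTMLParser):
    def __init__(self, page_url: str) -> None:
        super().__init__()
        self.page_host = urlparse(page_url).hostname or ""
        self.first_party = set()
        self.third_party = {}  # host -> set of tag names that pull from it
        self.inline_scripts = 0

    def handle_starttag(self, tag, attrs):
        attr_name = RESOURCE_ATTRS.get(tag)
        if attr_name is None:
            return
        a = dict(attrs)
        if tag == "link" and "stylesheet" not in (a.get("rel") or ""):
            return  # only stylesheets are fetched automatically
        url = a.get(attr_name)
        if url is None:
            if tag == "script":
                self.inline_scripts += 1  # inline code runs as the page itself
            return
        host = urlparse(url).hostname  # None for relative URLs; handles "//host/x" too
        if host is None or registrable_domain(host) == registrable_domain(self.page_host):
            self.first_party.add(host or self.page_host)
        else:
            self.third_party.setdefault(host, set()).add(tag)


def audit_page(page_url: str, html: str) -> dict:
    """What a NoScript-style menu would list for this one page."""
    c = ResourceCollector(page_url)
    c.feed(html)
    return {
        "first_party": sorted(c.first_party),
        "third_party": {h: sorted(t) for h, t in sorted(c.third_party.items())},
        "inline_scripts": c.inline_scripts,
    }


def shared_trackers(pages) -> dict:
    """Collusion-style view across sites: third parties that see you on more than one site."""
    seen = {}
    for page_url, html in pages:
        site = registrable_domain(urlparse(page_url).hostname or "")
        for host in audit_page(page_url, html)["third_party"]:
            seen.setdefault(host, set()).add(site)
    return {h: sorted(s) for h, s in seen.items() if len(s) > 1}


# Constructed pages; every hostname uses the reserved .test top-level domain.
NEWS_PAGE = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="https://cdn.example-news.test/app.js"></script>
<script src="//tracker.example-ads.test/pixel.js"></script>
<script>var inline = 1;</script>
</head><body>
<img src="https://www.example-news.test/logo.png">
<img src="https://metrics.example-analytics.test/beacon.gif?x=1">
<iframe src="https://ads.example-ads.test/frame"></iframe>
</body></html>"""
SPORTS_PAGE = """<html><body>
<script src="https://tracker.example-ads.test/pixel.js"></script>
<img src="/banner.png">
</body></html>"""

if __name__ == "__main__":
    print(audit_page("https://www.example-news.test/story", NEWS_PAGE))
    print(shared_trackers([("https://www.example-news.test/story", NEWS_PAGE),
                           ("https://www.example-sports.test/", SPORTS_PAGE)]))
```

Run on the two constructed pages, `shared_trackers` reports that `tracker.example-ads.test` is loaded by both the news and the sports site, which is the “connecting the dots” the Collusion paragraph describes; `audit_page` is the per-page list NoScript would present for you to allow or refuse.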

You can get these add-ons to FF by using the Tools >> Add-ons menu item, and searching for each by name. Then follow the installation procedure for each. To remove an add-on on FF, just go to Tools >> Options >> General tab >> Manage Add-ons button.

What are your favorite security and privacy related plug-ins for FF or other browsers?

Credit to Steve Gibson of Gibson Research for pointing out some of these add-ons by name in his excellent Security Now! podcast (part of the This Week in Tech network of podcasts): http://grc.com.

John Brady is Information Security Architect Engineer at Westfield Insurance.

If you are one of the many Americans who use an unsecured Wi-Fi network at home, then this blog is for you. You know who you are. At this very moment you are shifting uncomfortably in your seat thinking … how bad is it really?

And for all those readers who are disdainfully thinking that only a three-legged alien from Mars would be crazy enough to use an unsecured Wi-Fi network at home, let me ask you this … how many of us have been enticed to frequent certain establishments because they advertise ‘free Wi-Fi’? You know how it is. You’ve just dropped your child off at piano lessons, and with 45 minutes to kill you decide to visit your favorite café to curl up with a cup of java and use the ‘free Wi-Fi’ to update your Facebook page. All the while thinking you're safe as long as you don’t do any online banking on this Wi-Fi network.

Unfortunately, any semblance of "safe surfing" from any type of unsecured Wi-Fi network is about to be debunked.

In a June 22, 2011 article published by SecurityWeek.com, titled “How Logging On From Starbucks Can Compromise Your Corporate Security”, author Ram Mohan describes three methods that hackers use to maliciously gather data from web enabled devices. While Ram focuses on the potential theft of corporate data, you can easily apply his message to understand all the ways in which your personal data may also be vulnerable to attacks when using an unsecured Wi-Fi network.

Safe Surfing Tips

In response, we’ve provided a few quick "safe surfing" tips:

First and foremost, whenever possible, use only SECURE Wi-Fi networks. Always feel free to ask the establishment or hotspot owner if their Wi-Fi network is secure. If your device shows several Wi-Fi network names, ask the proprietor which one belongs to their establishment. Never use an unsecured Wi-Fi network when you don’t know who the owner is – this is a very common way for hackers to pick-up victims’ traffic!

If your device is configured to auto-connect to Wi-Fi, consider enabling the notification feature in your Wi-Fi network settings. Once this is done, your device will prompt you prior to connecting to an unsecured/open Wi-Fi hotspot. This will keep you in control of which of the available networks your device is connecting to. You may also prohibit your device from automatically connecting to Wi-Fi hotspots. See your device’s user manual under Wi-Fi settings for instructions. Many user manuals may be found online.

Whenever possible use the secure/encrypted version of whatever site you are surfing. When you see ‘https’ in the web address, the ‘s’ actually signifies ‘secure’. For sites where you already have accounts such as Gmail or Facebook, you can find out how to connect to the secure/encrypted version typically by reviewing the website’s privacy or security settings once you are logged in. These settings are usually found via a link on the front page of the site. Sometimes you have to poke around a bit. Not all sites have this option. Don’t forget to save your new settings!

Whenever banking, ALWAYS verify that the web address begins with https and make sure your browser does not warn you that there is anything unusual about the certificate in use! If you see a warning or the login page is not https, call your bank immediately.

Always explicitly ‘log out’ or ‘sign out’ from your favorite websites and wait for the page confirming that you are logged out to load. Simply clicking the “X” to close your Facebook page is not enough especially when using a public system as in a library or Internet café. (Internet cafés are very popular abroad).

Be wary of downloads! Do not blindly download files or software from the Internet, as they may infect your computer with a variety of malware. When in doubt, contact the website from which you want to download – and ask whether or not the download is secure.

If something seems too good to be true – it probably is. Be wary of all pop ups; and especially wary of ones that say “you’ve just won a grand prize” or “click here to retrieve your free gift”. Pop ups, like downloads, can carry malware to your computer! Make sure your browser has a pop-up blocker – and USE IT!

What questions do you have about unsecured Wi-Fi networks? Post your questions in the comments and we'll post an answer!

Skimming is one of the fastest growing issues to plague the credit industry, with skimming related losses estimated in the billions. Recent reports suggest increased skimming activity attributed to the advanced development of efficient techniques for locally installing skimming devices on hundreds of credit card input devices (ATMs, gas pumps, POS systems). Help safeguard yourself from becoming a statistic with safety tips found in this issue of Westfield Bank's Fraud Awareness Series: Card Skimming.

Citibank is the latest in a string of companies to fall victim to online data breaches impacting millions of consumers. Perhaps then it should be no surprise that the U.S. Department of Commerce has issued a report encouraging a ‘Code of Conduct’ for I-Commerce. This comes almost a month after the Obama Administration's Cybersecurity Legislative Proposal, which includes concepts such as National Data Breach Reporting.

Typically in the U.S., not-for-profit professional standards organizations write codes of conduct/ethics for the Information Security profession. For example, members of the Information Systems Audit and Control Association, ISACA, are guided by a Professional Code of Ethics while members of the International Information Systems Security Certification Consortium, Inc., (ISC)2, may follow this Code of Ethics. Many IT professionals belong to multiple organizations and implicitly sign-off on their respective Codes of Conduct when they enroll.

The Insurance Journal recently highlighted the plight of business owners everywhere and the Department of Commerce's subsequent proposal in this June 9, 2011 article.

What do you think about the Cybersecurity Legislative Proposal and the Department of Commerce's proposed Code of Conduct? Are they enough to protect our data?

Cyber threats are constantly changing and present challenges for both individuals and business owners. Most people only think of cyber threats in relation to their home computer, perhaps when banking on-line or making a purchase over the Net. But did you know businesses are just as vulnerable?

Don't let your agency become a cyber crime statistic. In a recent article for the Agent's Council for Technology, Danielle Johnson, VP of InsurBanc, suggests several steps to protect personal privacy, banking information, and agency data, including adoption of recent advancements in banking security.

In this issue of Westfield Bank's Fraud Awareness Series, we continue the theme of being on the lookout for email-based attempts to capture your online banking account information. Check out this short list of easy-to-implement tips that will help you prevent outsiders from accessing your account and help detect when they may have done so.

Our blog team has a goal to provide insight, tips and resources to help you* effectively manage the data security risks in your business.

We want to hear from you - please let us know your answers to these 3 questions by commenting below!

What information security and data topics are on your mind?

What is your biggest concern about data security?

What do you need to know to adequately prepare your company for a business interruption?

We'll do our best to answer your questions and address your information security concerns on this blog. Thanks for reading!

*Who do we mean by "you"? If you own a business (of any kind), manage the operations of a business, or have interest in protecting businesses and consumers from data security risk, then this blog is for you! We'd love to hear your thoughts on the questions above.

The other day at lunch, we saw yet another commercial asking people to "sell us your gold". As data security professionals, our conversation naturally turned to the various ways to convince people to give up their valuables. One of my coworkers mentioned that the gold commercial was a lot like a phishing email.

Do you know how to watch out for a phishing scam?

According to a new resource from Westfield Bank, "Phishing is a way of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication."

Westfield Bank's Safety Patrol has created this resource on Phishing as part of its Fraud Awareness Series. It contains some great tips to avoid being a victim of someone trying to steal your personal data through a phishing attack.

Jake Harris has held lead roles in Network Administration, Vulnerability and Forensics, and Disaster Recovery and has been instrumental in the development and implementation of numerous key projects and process changes at Westfield. In addition to a degree in Information Systems, Jake also holds several certifications, including Microsoft Certified Professional (MCP) and Cisco Certified Network Associate (CCNA).

The Android team was informed of a number of malicious apps published to the Android Market last week. The apps were quickly removed from the Market, and the team is in the process of removing the apps from devices.

The apps used a known vulnerability that affects versions prior to Android 2.2.2. It is believed that the attacker(s) were able to gather device-specific IMEI/IMSI, unique codes which are used to identify mobile devices and the version of Android running on your device. It was also thought that the apps had access to other data as well, which led the Android team to take remediation steps for those who downloaded the apps.

Caution: Check Permissions Before Downloading Apps

As a precaution, you should always check the list of permissions requested by any app you download from the Market. In addition, the Android team is looking into additional safeguards to prevent attacks of this kind in the future.

An example of a permission to be cautious about is read/write access to contact data. Unless an app explicitly states a specific feature that it would use your contact list for, there isn't much of a reason to give an application this permission. There are possible exceptions though. Typical apps that require this permission include: social networking apps, typing/note taking apps, SMS replacement apps, contact management apps.

Another example is an app requesting the fine (GPS) location permission. While not a danger for stealing any of your personal information, this will allow an application to track where you are. If you’re not downloading a mapping app, maybe this app shouldn’t be installed.

The best course of action is to use common sense. If the app is tic-tac-toe, question why it should need to read contact information or identify your GPS location.

A free eBook on Information Security from the Westfield Insurance InfoSec Blog Team

In today’s global economy, the sharing of information has become essential to business transactions. From providing information through online billing, or managing multiple passwords for various platforms and operating systems, the world of business has become more sophisticated than ever before.

Just in the last decade, organizations have seen a dramatic conversion to digital information storage. Regardless of how your company stores customer or employee information, rules of privacy and security apply.

With increasing effectiveness, hackers are able to acquire sensitive information from your office, computers, servers, mobile devices and the like. That’s why it’s vital that your business implement basic security measures to help protect sensitive information trusted to your company and its employees. Whether it’s the personal information of your employees or sensitive client information, your business needs to proactively take steps to eliminate unnecessary security exposures.

Why an Information Security eBook?

In 2004, Westfield Insurance started publishing internal tips and reminders about computer and personal security to help serve as a reminder to employees about company-specific policies, as well as the importance of protecting their personal information.

After seeing the success of this approach, we expanded the distribution to include our network of independent agents and colleagues. In 2008, we officially launched the InfoSec blog, authored by members of our IT-Risk, Security and Compliance team.

Since that time, the blog has offered our readers tips on how to best protect private information from risks such as password and system hacking, spamming, tailgating and more.

This is the final post in a three-part series on smartphones and information security. The series has covered overall security of the BlackBerry, Apple and Android mobile operating systems.

Continuing from our earlier posts on the advantages and challenges of the Blackberry and Apple iOS, we are concluding with Google’s Android operating system (OS).

Android is a Linux-based open-source platform whose unified development is sponsored by Google. Android Inc. developed the Android OS circa 2004 and was purchased by Google in 2005. The OS caught on like wildfire and is used by literally dozens of companies that are building tablets, phones and myriad other form factors around it. Despite competition from Apple and Blackberry, 2010 was a huge year for Google. With more than 250,000 apps available on the Android Market, the platform saw an 861 percent increase in app sales.

Additionally, customer intelligence firm Market Force Information recently released findings from a survey on smartphones, which indicated Android’s current appeal over its competition. According to a Feb. 22, 2011 Market Force press release, “When asked which smartphone they would purchase, 34% of survey respondents said Android, while only 21% said iPhone, and 12% said Blackberry.”

Android OS Security Concepts

A major aspect of the Android security model resides in the interface between the platform’s OS and application layers and is implemented by running each application in its own efficient Dalvik virtual machine.

From the end user's perspective the effect is quite similar to sandboxing in Apple’s iOS. Each application’s default view of the device is that it has the entire device to itself, i.e., unless it is explicitly permitted to see other apps, its default view is that it is the only application on the device.

How this works is that when a developer is coding and packaging an application, they must declare what device resources, e.g. GPS, Bluetooth, Wi-Fi, etc. the application needs to use. This is necessary to build the application, but that information is then also used when the end-user installs the app! This user notification takes the form of an install-time dialog that lists the resources needed on the device to run that application. So, depending on what resources are listed, the user can either accept, or refuse, installation. For example, if you can’t figure out why the first person shooter game “I Spy On U” wants access to the GPS information on the phone, then you could simply terminate the installation.
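The declaration the developer makes, and the skeptical reading of it that the “Check Permissions Before Downloading Apps” post earlier on this page recommends, can both be shown with one short script. It is an added example, not Android platform code: the manifest is constructed for the tic-tac-toe case used above, the permission names are real Android permissions, and the mapping of permissions to the kinds of app that plausibly need them is taken from the post’s own examples, with the category labels chosen here.

```python
import xml.etree.ElementTree as ET

# Added example, not Android code. The manifest is what the developer packages (the
# "declare what device resources the app needs" step); the install-time dialog is derived
# from it. review() plays the skeptical user: given what the app claims to be, which of
# its requested permissions have no obvious justification?

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Sensitive permissions and the kinds of app that plausibly need them, following the
# post's own examples. The category names are an assumption of this example.
JUSTIFIED_BY = {
    "android.permission.READ_CONTACTS": {"social", "messaging", "notes", "contacts"},
    "android.permission.WRITE_CONTACTS": {"social", "contacts"},
    "android.permission.ACCESS_FINE_LOCATION": {"maps", "navigation"},
    "android.permission.ACCESS_COARSE_LOCATION": {"maps", "navigation", "weather"},
    "android.permission.READ_PHONE_STATE": {"telephony"},  # exposes device identifiers such as the IMEI
    "android.permission.READ_SMS": {"messaging"},
    "android.permission.SEND_SMS": {"messaging"},
}


def requested_permissions(manifest_xml: str) -> list:
    """The <uses-permission> names, in manifest order: the raw material of the install dialog."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]


def review(manifest_xml: str, app_category: str) -> dict:
    """Sort requests into expected-for-this-kind-of-app, questionable, and not sensitive."""
    result = {"expected": [], "questionable": [], "not_sensitive": []}
    for perm in requested_permissions(manifest_xml):
        needs = JUSTIFIED_BY.get(perm)
        if needs is None:
            result["not_sensitive"].append(perm)
        elif app_category in needs:
            result["expected"].append(perm)
        else:
            result["questionable"].append(perm)
    return result


# Constructed manifest for the post's tic-tac-toe example (package name is made up).
GAME_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.tictactoe">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <application android:label="Tic Tac Toe"/>
</manifest>"""

if __name__ == "__main__":
    verdict = review(GAME_MANIFEST, "game")
    for perm in verdict["questionable"]:
        print(f"why does a game need {perm}?")
```

Reviewing the same manifest as a social-networking app moves `READ_CONTACTS` into the expected column and leaves the location and phone-state requests as questions, which is the judgement the install dialog asks the user to make by hand.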

Android vs iPhone – Swiss Army Knife vs Sabatier Fine Cutlery

The Android environment is much less centrally controlled than Apple’s iOS. For example, users can skip the Android Market altogether, and download an application directly from a developer’s web site. Of course, you do so at your own risk. The developer might have bad intentions or, if the developer’s download server has been compromised and his downloads tampered with, you may be getting “more than you bargained for”. Many Android fans suggest that the healthy skepticism that the Android openness encourages is the only sane default attitude and that Apple users are dangerously naïve to believe that “because it came from the iTunes App Store it must be safe and well-behaved.”

Incidentally to take complete and utter control of your Android device from the carrier you will need to “root” the phone. “Rooting” is the equivalent of jailbreaking an Apple iOS device, which, as described in the iOS edition of this blog, pretty much lets the end user do anything the hardware is capable of.

Android Virtual Phones

Improving upon the user and developer experience with Android, virtualization software company VMware has created a new offering that changes the platform interface, called Mobile Virtualization Platform (MVP).

MVP is similar to the Dalvik VMs of Android; however, whereas the virtual machine presented by Dalvik is an idealized JVM-like set of resources, the VMware VM is more like a thin layer of virtualized hardware implemented as a so-called hypervisor. This allows a carrier or end-user to install multiple virtual phones! E.g., on a phone model sold by multiple carriers or by one carrier with multiple versions – like an HP phone that runs either WebOS or Win 7 Mobile – if there was a version of the MVP hypervisor for HP mobile phone hardware, one could run both a Win 7 Mobile and a WebOS phone instance on the same hardware at the same time and “flip” between them. The Win 7 and WebOS phones don’t even “know” the other personality is resident on the same hardware. This example is hypothetical but intriguing.

These “guest virtual phones”, running atop the MVP hypervisor, look and act like full-fledged phones! Besides being interesting technology, VMware’s mainstream concept is that a device owner can have one phone with multiple “personalities” – like a work phone and a personal phone but on a single handset. With this ability, a corporate IT department could manage the “work phone,” while the owner could have complete control over the personal side. The MVP platform is mature to the point of being released for some of the most popular phone hardware and it only remains for the phone manufacturers and carriers to embrace it.

What has your experience been?

Have you experienced any issues with your Android device? Have you felt the need to “root” the device? If so, what drove you there; curiosity, annoying carrier apps which you couldn’t delete? How many apps have you installed? Did you get them straight from the developer’s site or the Android Market? Have you ever refused application installation because of the resource the app was asking to use? We’d like you to share your thoughts and questions with us.

Check out the other posts in this series, and stay tuned for more posts on information security with the leading smartphone operating systems:

As mentioned previously, the iPhone has been making waves in the industry concerning its recent introduction to the Verizon Wireless network. Regardless of the initial customer turnout for Verizon’s in-store release, the iPhone is still considered one of the most highly respected and coveted smartphones in the market.

Exclusivity of the iPhone iOS

The iPhone, iPod Touch and iPad now run iOS 4.2. Apple has not only changed its major version, but also changed its name — from iPhone OS to iOS — in recognition of the fact that voice phone functions are a shrinking fraction of their mobile devices’ functionality.

So, what's the main differentiator between early smartphones and iPhone? I believe the essential “newness” was that Apple inserted the iPhone into its maturing iPod/iTunes content ecosystem and added the App Store. This closed environment gives users a unified device experience within Apple’s “walled garden.” Apple prides itself on having created a trusted, friendly device that, conveniently for Apple, only downloads music, videos, podcasts and apps from the iTunes App Store.

While most iPhone owners find this state of affairs comforting, some find it frustrating. The ultimate form of challenging the control of Apple and their carrier at the device level is a process known as “jailbreaking”. Jailbreaking removes the controls, limitations and safeguards put in place by Apple, thus enabling the device to access and run applications, extensions and themes available outside of Apple’s App Store. However, the added freedom comes with a tradeoff because the App Store is part of the Apple “cocoon of security.” While Apple makes no guarantees (in their end user agreement) that apps will not misbehave, they do take more effort than any other vendors to assure that an application does what it says it does and only that. They also restrict content they deem explicit.

iOS Security Benefits and Weaknesses

In addition to scrutinized applications, Apple’s iOS uses a “sandboxed application” philosophy. A sandbox is a default installation state of no access to OS-level objects, such as persistent storage or executables. The sandboxed app can, of course, access its own data and network resources freely, but can’t reach into the phone’s OS or even “talk to” other applications except in very controlled ways. This makes it harder to write applications that cooperate via drag and drop, etc., but improves security significantly. It makes it harder for applications to spy on and export each other’s data, and more straightforward when uninstalling an application and cleaning up its associated data. If an employer controls the apps and deletes the CRM app, the CRM’s database of company confidential customer information is deleted with it.

Of course, retaining our healthy skepticism, iOS is just a device operating system and like all large complex software systems is not exempt from bugs and security issues:

Just this month (Feb. 2011) the Fraunhofer Institute SIT exploited an iOS stored password/encryption vulnerability. Via the aforementioned jailbreaking process, the SIT research team was able to crack into the stored iOS password vault, called the Keychain, in as little as six minutes. In addition to the hardware encryption key for that device's storage, where application data would be stored, the Keychain contains user account/password pairs for such things as websites, email accounts, Wi-Fi hotspots, etc. Optimistically, since Apple controls the ecosystem from the hardware up, they can rework the affected encryption architecture and system libraries to use the hardware in a different way to restore security to the iOS devices out there. This should be an advantage of a monolithic device provider.

Apple continues to make iOS more enterprise friendly with hooks to email and other corporate services considered critical. For example, companies can control whether the device locks its screen after an idle interval and requires a password to get in. Or, after say, ten failed attempts to get into the device, it wipes itself (data and applications or just the corporate controlled data and applications). It can now be remotely wiped on demand by a command sent from a company IT security department.
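The idle-lock and failed-attempt-wipe controls mentioned above are delivered to a managed iPhone as a configuration profile, a property list containing a passcode-policy payload. The script below is an added example, not Apple’s code: it builds that payload with the documented `com.apple.mobiledevice.passwordpolicy` keys and then audits a received profile against a corporate minimum. The identifier strings, the limits in `CORPORATE_MINIMUM`, and the treatment of a missing or zero `maxFailedAttempts` as “no wipe” are assumptions of this example.

```python
import plistlib
import uuid

# Added example, not Apple's code. Builds the passcode-policy payload of an iOS
# configuration profile (PayloadType com.apple.mobiledevice.passwordpolicy, keys as
# documented in Apple's Configuration Profile Reference) and audits a profile against
# a corporate minimum. Identifiers and limits below are assumptions for this example.

CORPORATE_MINIMUM = {"maxFailedAttempts": 10, "maxInactivity": 5, "minLength": 6}
PASSCODE_TYPE = "com.apple.mobiledevice.passwordpolicy"


def passcode_payload(max_failed: int = 10, max_inactivity_minutes: int = 5, min_length: int = 6,
                     identifier: str = "com.example-corp.passcode") -> dict:
    """The settings a company IT department pushes to the 'work' side of the device."""
    return {
        "PayloadType": PASSCODE_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Passcode policy",
        "forcePIN": True,                          # a passcode is required at all
        "allowSimple": False,                      # no 1111 / 1234 style codes
        "minLength": min_length,
        "maxInactivity": max_inactivity_minutes,   # minutes idle before the screen locks
        "maxFailedAttempts": max_failed,           # wipe after this many wrong passcodes
    }


def profile_bytes(payloads, identifier: str = "com.example-corp.profile") -> bytes:
    """Wrap one or more payloads in the outer profile and serialise to XML plist bytes."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Example Corp device policy",
        "PayloadContent": list(payloads),
    }
    return plistlib.dumps(profile)


def audit_profile(blob: bytes) -> list:
    """Findings for a profile weaker than CORPORATE_MINIMUM; an empty list means compliant."""
    findings = []
    policies = [p for p in plistlib.loads(blob)["PayloadContent"] if p.get("PayloadType") == PASSCODE_TYPE]
    if not policies:
        return ["no passcode policy payload in profile"]
    for p in policies:
        if not p.get("forcePIN"):
            findings.append("forcePIN is not set: passcode optional")
        # Assumption of this example: missing or 0 is treated as 'no limit', i.e. no wipe.
        if not 0 < p.get("maxFailedAttempts", 0) <= CORPORATE_MINIMUM["maxFailedAttempts"]:
            findings.append("maxFailedAttempts missing, unlimited or above corporate maximum")
        if p.get("maxInactivity", 99) > CORPORATE_MINIMUM["maxInactivity"]:
            findings.append("maxInactivity too long: device stays unlocked when idle")
        if p.get("minLength", 0) < CORPORATE_MINIMUM["minLength"]:
            findings.append("minLength below corporate minimum")
    return findings


if __name__ == "__main__":
    print(profile_bytes([passcode_payload()]).decode())
    print(audit_profile(profile_bytes([passcode_payload(max_failed=0, max_inactivity_minutes=15)])))
```

The audit is the part worth keeping: a profile that merely exists is not the same as one that enforces the wipe-after-N-failures and idle-lock behaviour the post describes, and `audit_profile` is the check that the settings actually arrived with the values the security department intended.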

What has your experience been?

Do you love the security of Apple’s walled garden or is it driving you nuts? Are you excited or worried about switching from your current smartphone to an iPhone? We’d like you to share your thoughts and questions with us.

Check out the first post in this series, and stay tuned for additional posts on information security with the leading smartphone operating systems:

This is the first post in a three-part series on smartphones and information security. The series will discuss overall security of the BlackBerry, Apple and Android mobile operating systems.

Today, it seems like everyone has, or is planning to get, a smartphone. From recent buzz surrounding the much-anticipated Verizon iPhone, to speculations on the staying power of the Android’s market dominance, the focus has been on smartphones and their presumed takeover of the mobile market.

The Basics of Smartphones

A smartphone combines the elements of a normal mobile phone with the additional features of a personal digital assistant (PDA). The convenience provided by the marriage of these technologies is huge, especially for those needing constant connection to personal or professional communication systems. For more information, read Liane Cassavoy’s article: What Makes a Smartphone Smart?

Be it the stalwart BlackBerry, the utopian Apple iOS, or the Swiss army knife Android platform, increasing numbers of corporate users — from the C-level to the mail room clerk — are becoming enamored, if not attached at the hip, to their mobile devices.

Not only are they used for personal communications, such as calls, texting, email and web browsing, but we have also grown to rely on them for work. If your business information is being shared via smartphone, it’s important that you understand the security models of the leading smartphones.

BlackBerry - Apparent Strengths can Become Weaknesses

Long the paradigm of tight control and the only smartphone approved for use by US Government employees, the BlackBerry has to some extent become a victim of its own success.

The BlackBerry OS (BBOS)/BlackBerry Enterprise Server (BES) system implements an exquisitely fine-grained security layer that allows administrators to define hundreds of configuration settings. For example, you can set the encryption of the device contents down to the level of the key length and algorithm to use. On other devices, “whole device encryption” or “application encryption” is either on or off, and the device maker has chosen the algorithm and key lengths. BlackBerry’s placing this control in the hands of users results in an embarrassment of riches of sorts: when a configuration setting can be controlled, there is a tendency to change the default to something “more secure.” But as a consequence, going forward, the complexity of dozens of such choices must be managed, in the sense of carrying them forward to new hardware models, testing them on new versions of the BB OS, and so on. For the customer this is a potentially huge time sink. For the device and OS maker it creates an enormous burden of legacy compatibility. We have seen this sort of phenomenon with MS Windows.

In BlackBerry’s defense, they have tried to control management complexity. For example, these customizations can be bundled into named configurations (e.g., “Sales Config”, “IT Config”, etc.) and distributed to the BlackBerry population based on job role. But remember, BlackBerry has been playing hardware catch-up with touchscreen phones, and now tablets, and has re-versioned its operating system from 4.x to 6.x in the space of 36 months. Bringing the aforementioned custom configurations forward through revisions of the BBOS, BES and dozens of new device models is quite challenging. Moreover, over the next couple of years, RIM is moving new devices entirely from the proprietary BBOS to QNX, a real-time microkernel OS!

BlackBerry Availability

In general BlackBerry has been a very robust and reliable platform, although it has had some bobbles (not surprising given its long-lived number-one smartphone position).

As with any device, you run the risk of experiencing system failures and service blackouts, which can result in serious problems for highly dependent users. For some BlackBerry customers, this dreaded occurrence became a reality in late January 2011, as the BlackBerry Internet Service experienced a brief outage.

Another source of potential concern over availability and security is that much of the comfort and control/monitoring behind BlackBerry use came from the fact that all network traffic to and from the device was forced to loop all the way back through the corporate LAN (one of the main functions of the MDS service that runs in the BES) before going out, say, to the Internet. The upside was that all of the corporate safeguards already in place for email and web filtering automatically applied to BB traffic as well. However, newer BB models have to some extent shot this model in the foot by including Wi-Fi, which supports direct attachment to the Internet (if the corporate admins permit it), which of course means that the BB can make direct connections to potentially infected web sites without passing through those safeguards.

What has your experience been?

We’d like to hear about any security issues you’ve faced with your BlackBerry, or concerns with the BBOS that have swayed you to consider an alternative smartphone system.

Stay tuned for the next two posts on information security with the leading smartphone operating systems:

Apple iOS

Google Android

John Brady is Information Security Architect Engineer at Westfield Insurance.

The U.S. military’s response to all the problems it has been having with sensitive documents appearing on WikiLeaks is to prohibit the use of removable media such as USB drives. It is even threatening courts-martial. Here is an article on CNN that gets into more detail on this:

Will this be an effective way to stop information loss? It will certainly make it a little harder to get large amounts of data out of their secure networks. But, in order to be useful, information does need to move around and be accessed on multiple platforms by multiple people. As the information moves around, there are opportunities for it to move out of your organization's control. Is there an effective technical control that could be put in place to mitigate this risk?

The problem here is not technical. No technical control failed; rather, a trusted user, with appropriate credentials and the access required to perform their job, decided to violate their organization’s (the U.S. military’s) policies and trust. The people who are uploading this information are intentionally misusing the access they have been granted. This is probably the worst risk that information security professionals everywhere have to deal with: the Trusted Insider. You know them: the high performers with positive attitudes who have been around a long time, are working on important initiatives and would never do anything wrong.

We can monitor logs, block websites, restrict network protocols, ban USB drives, disable DVD burners, encrypt data at rest, layer on more and more technical controls … Will this address the issue and mitigate the risk?

Putting technical controls in place, like banning USB drives, makes it harder for the Trusted Insider to do bad things, but they are still there in your organization, accessing your most sensitive information. How do you mitigate the risk of information misuse by the Trusted Insider?
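As an added example of the “monitor logs” control listed above (not code from the author or from any product), the following Python flags users whose document-download volume is far out of line with their peers so that a person can review it. The log format, field names and sample lines are constructed for the example.

```python
"""Peer-baseline check over a constructed document-access log (added example).
Flags users whose distinct-document download count is far above the median of
the other users; the format and the sample data are invented for illustration."""
import re
from collections import defaultdict
from statistics import median

# Constructed audit-log format: one event per line.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"doc=(?P<doc>\S+) bytes=(?P<bytes>\d+)$"
)


def build_sample_log() -> list:
    """Constructed sample: three users with ordinary activity, one bulk downloader,
    a non-download event and one malformed line."""
    lines = []
    normal = {"alice": 4, "bob": 3, "carol": 5}
    for user, n in normal.items():
        for i in range(n):
            lines.append(f"2011-01-15T09:{i:02d}:00 user={user} action=download "
                         f"doc={user}-report-{i}.docx bytes={20000 + i}")
    for i in range(40):  # a credentialed user pulling an entire document set
        lines.append(f"2011-01-15T22:{i:02d}:00 user=jsmith action=download "
                     f"doc=archive-{i:03d}.pdf bytes=1500000")
    lines.append("2011-01-15T10:00:00 user=bob action=view doc=policy.pdf bytes=0")
    lines.append("garbled line that does not match the format")
    return lines


def parse(lines):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m is None:
            continue
        e = m.groupdict()
        e["bytes"] = int(e["bytes"])
        events.append(e)
    return events


def per_user_totals(events, action="download"):
    """Distinct documents and total bytes per user for the given action."""
    docs = defaultdict(set)
    size = defaultdict(int)
    for e in events:
        if e["action"] != action:
            continue
        docs[e["user"]].add(e["doc"])
        size[e["user"]] += e["bytes"]
    return {u: (len(docs[u]), size[u]) for u in docs}


def flag_outliers(totals, ratio=3.0, min_docs=10):
    """Flag a user whose distinct-document count exceeds ratio x the median of the
    other users and is at least min_docs, so tiny teams do not generate noise."""
    flags = []
    for user, (ndocs, nbytes) in totals.items():
        peers = [n for u, (n, _) in totals.items() if u != user]
        baseline = median(peers) if peers else 0
        if ndocs >= min_docs and ndocs > ratio * baseline:
            flags.append((user, ndocs, nbytes, baseline))
    return flags


def review_queue(lines=None):
    """Return (user, distinct_docs, total_bytes, peer_median) tuples to review."""
    lines = build_sample_log() if lines is None else lines
    return flag_outliers(per_user_totals(parse(lines)))


if __name__ == "__main__":
    for user, ndocs, nbytes, baseline in review_queue():
        print(f"REVIEW {user}: {ndocs} documents, {nbytes} bytes (peer median {baseline})")
```

A check like this surfaces a bulk download by a credentialed user for a human to look at; it does not decide whether the access was legitimate, which is exactly the gap the post describes.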

We'd like to hear your thoughts on this issue - please comment below.

Bill Murray leads the IT Risk Security and Compliance team at Westfield Insurance. Sharing Knowledge. Building Trust.

Have you ever been sitting in front of your computer, getting ready to purchase a gift for someone and just as you click on the checkout button you see the dreaded "Create a new account" option staring back at you? To me this means yet another password and user ID that I'll need to somehow remember but keep secure at the same time. To make matters worse, I need to figure out some way to allow my wife access to the account as well, without leaving the password lying around for any and all to pick up and use.

My idea: Create a password list!

Here's my example:

Create a simple Word or text document on your computer, and choose a name for the document that would not normally be interesting to someone searching for a password, like FinalEssayOntheMigrationofBirds.doc or VehicleRepairTips.txt.

The first field on each line is the purpose or website for the account; if you feel really daring you can even make this name a link to the website where you use it. The second field is your user account or ID for that website. And the last is a set of numbers, letters or symbols that you would either append to the end of your "known" password or place in front of it.

A "known" password is a simple word that is easy to remember for you and anyone you share the list with; for example, November or Snowstorm might be common shared passwords. You'll never write this one down or store it in the list; it should only be known by the people who share it.

For example, take the information I entered above: OnlineStore1 User3251 Y78. If I were going to log in to OnlineStore1 with the account User3251, my password would be NovemberY78.

Hope this helps keep some passwords secure this shopping season!

Jacob Harris is a Vulnerability and Forensics analyst at Westfield Insurance. Sharing Knowledge. Building Trust.

There seems to be a disconnect between want and need with respect to smartphones and information protection. Securing mobile is a “downer” along at least two main axes of mobile phone interaction: convenience and cost.

If your phone is as powerful as your laptop, meaning the operating system, the peripherals and the applications on your phone are as sophisticated as, or more sophisticated than, those of your laptop, then shouldn’t the security measures that protect its contents be similar? The real question is this: if you’re using your phone to process the same information as your laptop, how can one justify not securing it to the same degree as your laptop?

My opinion is that the only logical answer is yes. For an increasing number of functions, phones are replacing laptops. I believe that there are ways to secure mobile phones to the same standard as laptops while minimizing the inevitable inconveniences and extra cost. The solutions require thoughtful re-evaluation and sensible compromise. Rather than slapping the old products from the laptop onto the smartphone, we should look at it as a qualitatively different platform.

Drawbacks to Treating a Smartphone like a “Small Laptop”

Here’s an example of a situation in which it may be typical to treat a smartphone as a “small laptop”.

Many companies now use URL filtering perimeter systems, such as WebSense, to prevent employees from accidentally going to infected websites. When an employee uses their laptop outside the company network, you may tell them they must “VPN into” the network before using the web. (This way, once the VPN tunnel is established, their browsing goes through the URL filter.)

It is possible to treat the smartphone like a laptop in this scenario, because there are VPN clients that work as well as the laptop version. Employees could be told to “VPN into” the corporate network before web surfing on their smartphone.

However, there are drawbacks: a) VPN clients take a fair amount of computational horsepower to run, and b) from a network architecture and management standpoint, why tunnel all that traffic from every mobile browser into the corporate core in order to turn around and go back out to the Internet?

Rather than treating the smartphone like a laptop, the solution may be to change how your URL filter works. Instead of bringing the traffic to the filter, bring the filter to the traffic! Put the URL filter on the Internet, and everyone’s computer (smartphone or laptop) can reach it from everywhere. Companies such as WebSense and zScaler are advocates and vendors of such solutions.

Speaking of changing the place where the processing happens, how about using another ancient solution: moving where the applications run, and so where the information is processed? I am speaking here of just using the phone as a window into the corporate computing environment. This is déjà vu all over again, the fat client/thin client debate of the 1990s – the Unix X Window system and Citrix ICA. The fact is that this class of “collapsed data center” solution, which once drew complaints about bandwidth and server capacity, has become more viable over time, not more outdated. Since the days of mainframe terminal sessions, the thin client paradigm has always been attractive from cost, administrative and data security perspectives. Now the protocols for computing in the data center core and transmitting just the display have become more efficient, and bandwidth has come down in price. Similarly, multi-core servers with dozens of gigabytes of RAM are the rule, not the exception.

This makes it very attractive indeed to just load the thin client app onto the smartphone and have it connect securely to the core to process corporate information that also lives on the core. If the organization wants people to be able to drag and drop files or query results from the core into apps that run on the endpoint, then the endpoint needs heavy securing as described above. But if the thin client is set up so that information cannot be transferred from the core to the endpoint, then one has a lot less to worry about in terms of “information leakage.” The “drag and drop” trade-off is that the information the employee wants to bring onto their smartphone is not directly usable by other apps on the smartphone that make them more productive (e.g., transferring an address to the smartphone’s contact management system or its GPS app).

So where does this leave us? I think, for now, the choice is between:

a. Smartphones with powerful processors and awe-inspiring local apps and local corporate data loaded down with classical malware protections like encrypted file systems, anti-virus, URL filtering, anti-spam, personal firewalling (local or in the cloud)

b. Collapsed data center where the employees log into a virtual desktop running on a big server and all the employee ever has on their smartphone is a thin interface to corporate data on a far-away desktop

The convenience trade-off is clear – I would much prefer to be able to download a spreadsheet to the app on my phone and then hop on a plane and “play with the numbers” versus having to be on the network and constrained by my company's standard spreadsheet program.

Cost-wise, buying and administering standalone smartphones with high-performance client software on them is both higher risk and less cost-effective than standing up a big server with desktop OS licenses and a few licenses for each app, and issuing a thin client for each employee’s corporate or privately owned smartphone, laptop or desktop.

Is there a happy medium? What do you think?

Next time we’ll discuss modifications to these paradigms that may remove some of the downsides to both, namely, data centers in the cloud and always connected mobile networking.

It seems that a number of companies are anonymously mining members’ profile information, creating databases and selling profiles for targeted advertising, even when users have set their privacy settings to strict. At least 25 database and advertising firms may be involved.

Many of the most popular applications are also transferring information about their users to outside companies. According to the article, three of the top ten actually transmit information about their users’ friends as well.

Facebook does have a “policy” that application developers must not share personal information with advertising companies, but with over half a million applications, some appear to be breaking that policy. Facebook claims to have disabled thousands of applications that have violated its policies.

Social networking has become an important piece of many people’s lives. I actually know people who seem to live on Facebook 24x7. Please have fun with it but remember that ANY information you put into a third party’s hands, even if they have great intentions and tell you that they will keep it safe, is completely out of your control and will be used by someone to make a profit if they can.

Wow, with an outlook like this, it’s no wonder no one wants to be my Facebook friend!

Bill Murray leads the IT Risk Security and Compliance team at Westfield Insurance. Sharing Knowledge. Building Trust.

We hear a lot about adware, spyware, malware, etc. all the time. We used to hear more about viruses and worms ... have the latter been eradicated, or are they still out there in the wild? In the next few weeks I'll be discussing mobile phone security (a topic many of our insurance agency partners have expressed interest in), so I'll start out with some definitions:

Adware is software that automatically downloads or displays unsolicited third party advertising material to a computer.

Malware is short for 'malicious software' and is the overarching term for any computer program written with the intent of performing unwanted acts on a computing device (including mobile phones) without the knowledge or permission of the device's owner or user. Common types of malware include adware, spyware, Trojan Horse programs, viruses and worms.

Spam is the term used to describe unsolicited electronic messages. Spam is generally associated with e-mail; however, it can be sent by other mechanisms too, such as SMS, MMS (multimedia messaging service), IM, tweets and Facebook messages.

Spyware is a form of malware designed to steal confidential data from the computer or mobile phone it is running on. Usernames, passwords and PINs are often captured by spyware to enable its author to gain unauthorised access to the services those credentials are intended to protect.

A Trojan Horse program is a specific form of malware. Like the Trojan Horse of Greek mythology, Trojan Horse programs trick a user into installing them on their phone or computer by masquerading as genuinely useful applications. Once installed, however, the Trojan Horse performs some unauthorised and malicious activity on the computer or phone. Trojan Horses are one reason why you should only install software on your phone or PC if you are confident that you can trust its source. Trojan Horse programs differ from viruses and worms in that they do not replicate.

A virus is a specific form of malware. Viruses infect phones and computers by attaching themselves to files, executables or documents. When an infected file is transferred from one device to another and opened, for instance as an e-mail attachment, the virus infects the receiving device. Unlike worms, viruses are unable to propagate between devices automatically; they rely on some human action to transfer them from machine to machine. Once installed on a phone, a virus makes copies of itself and embeds them in files found on the phone to evade simple deletion; it will also generally perform some unauthorized and malicious activity on the computer or phone.

Worms are a specific class of malware. They differ from viruses in that a worm spreads by transmitting itself from an infected computer or mobile phone to another vulnerable device without human intervention. In the PC space, worms typically propagate from one computer to another over network connections, including the Internet. In the mobile phone arena, worms usually use Bluetooth or MMS messaging to move from one phone to another. Most mobile operators block worm transmission by MMS (by scanning media before forwarding it to the recipient). Virtually all known mobile phone worms cannot infect a phone without first displaying a number of prompts on the phone's display, so users can block infection of their device, or the spread of the worm, by choosing the right response to those prompts. For instance, a user can answer 'No' when prompted to accept a connection from a nearby mobile whose source they are unsure of.

Here are some other, more detailed definitions of malware and a taxonomy: